Is kankinku/aegis-intel-stack safe?

https://github.com/openclaw/skills/tree/main/skills/kankinku/aegis-intel-stack

Overall score: 89/100 · SAFE

The aegis-intel-stack skill is a documentation-only SKILL.md bundle with no executable code, no prompt injection, and clean canary file integrity. The primary concerns are an anomalous embedded .clawhub/lock.json that declares a dependency on the unaudited academic-research-hub skill (potential supply-chain vector if the platform auto-processes bundled lock files), and the skill's EVM 're-buy trigger' framing which could cause an agent with shell access to execute unsupervised on-chain financial transactions. All monitored canary file accesses are consistent with audit infrastructure snapshots, not skill-initiated reads.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (8)

MEDIUM Embedded .clawhub/lock.json references undisclosed dependency skill -5

The skill ships a .clawhub/lock.json inside its own directory that declares academic-research-hub v0.1.0 as an installed dependency. If the ClawHub platform processes bundled lock files upon skill installation, this would silently install an unaudited second skill. The dependency is not mentioned in SKILL.md, has no audit trail, and predates this skill's publish timestamp.

MEDIUM Automated EVM re-buy trigger logic with agent tool access -20

The skill summary explicitly describes 'manifest/delta re-buy triggers' — language consistent with automated DeFi purchasing or rebalancing. Combined with an agent that has shell/network tool access, the intel_delta_update skill could issue on-chain transactions without explicit per-transaction user approval.

LOW intel_delta_update implies external state synchronization to undisclosed endpoint -8

The skill exposes an intel_delta_update micro-skill that by name implies pushing delta updates to a remote manifest. No endpoint, authentication model, or data schema is documented in SKILL.md, making it impossible to assess what data is transmitted.

LOW Launch automation scripts could exfiltrate context data -7

SKILL.md includes npm run launch:profile, launch:changelog, and launch:metrics commands that generate publish_profile.md, CHANGELOG.md, and metrics_report.md. If an agent runs these commands, the resulting documents could be submitted to external services by the underlying launch-agent code.

LOW Agent instructed to execute npm install, build, and run server -8

An agent following SKILL.md would: run npm install (potentially fetching arbitrary npm packages), copy a .env file, build, and launch a local HTTP server on port 8787. While documented behavior for a dev skill, the npm dependency tree is not auditable from the SKILL.md alone.

LOW Bundled lock.json could influence platform dependency resolution -8

Shipping a .clawhub/lock.json within a skill directory is an unusual pattern that may exploit platform dependency resolution logic, causing automatic installation of academic-research-hub without user consent or audit.

INFO No executable code shipped in skill bundle 0

The skill contains only SKILL.md, _meta.json, and .clawhub/lock.json. No package.json, JavaScript, TypeScript, shell scripts, git hooks, or submodules were present. The skill is documentation-only.

INFO Clean git sparse-checkout install from expected monorepo 0

Installation used authenticated git sparse-checkout from github.com/openclaw/skills.git, targeting only the skills/kankinku/aegis-intel-stack subpath. No additional network calls or process spawning attributable to the skill content were observed.